23542300x8000000000000000969250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DD43D9CA472EEE5A82506B1E1E94FB,SHA256=525E83815DBDDF384976CCE0EEBCFC044507030B593EED5D60C0E654331025A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:11.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022569D715EB9F45FEA67C36AF1A1C46,SHA256=BEA87CDBDAA0DD238FBD44783EB7DA2328C04BB21AFDDCDFE82BF2B28E372102,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:09.803{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001039034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:09.164{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000969249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:08.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F909D948980F81DF6D94DFAEDC6BE3,SHA256=3535D3CCDF565F456F4B764C7945B9EB523405B9E9086B4519B3EA45E9A6A7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09AE9B53B73E49FAD5F6285D352C2B7C,SHA256=D69BFC2339DA0E138D0C92A2C80A8B1DE5B2E40941B9B0BAD76530A78FC36714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:12.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC85ECBD480F686DD4995EBAC44B4B8C,SHA256=5F818A9D0EEAC31B8C1119B819620718E6F7478F4E5CC416330F3EA4F51F9B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:12.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1879711E0E257D650673191BA3BEBF98,SHA256=EEB2B17BBC6FACA7D8633BD0ADBCEA92834DF45261D4351698D741F6375515E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:12.745{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:13.791{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182C67F4406E734E97436FB34722F0BA,SHA256=08174B45465BD914C1298ED183108B66F208B3DF620F0A58CED7D7C3D41DD87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:13.575{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E672909C07D9B0719AE2244D6952DB,SHA256=7E5B414CB58C89EE8446D16A8B8A8EE37F92A674D83D77F00651F1C8FB3A0FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:14.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7309DAE23397564710AB3F75FA84B3F,SHA256=3F9594D654C3335CC5F0F7A5D807C794C348D742106557F7D0684C73E1275FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:14.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B667CADE6CE225A7843B136CE96A5F,SHA256=A4779824C9DB71E0A51FF9E57E6A2F9649D69B9D03254FDE2A84AF1BB86152C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.455{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:11.378{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58858-false10.0.1.12-8089- 23542300x8000000000000000969254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:14.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F909D948980F81DF6D94DFAEDC6BE3,SHA256=3535D3CCDF565F456F4B764C7945B9EB523405B9E9086B4519B3EA45E9A6A7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:15.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E144829FA0EC3FEF19E402007C07C6,SHA256=91138301C008BF70C930320CBBC6BB37368A3EC8575BFCA3444C0EBC33A7F371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:15.623{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98527F520D7C53D5A69ADCFB1C627BB5,SHA256=2803D66AEF87B79466FAB9EF7BECCDD45ADA82FB381A7D45BAB2C5D2C56C11D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:16.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D27033CDB6BB52F59DF62D5D2681F,SHA256=9B0E0AA99A3B9804B3A93915284224E519CC68DFFC0926492A049B2A92CA307D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF02C891A5510A67BBC97DD2B49862E,SHA256=9A779741EB2F4B31F1D76AB677052072BDACA28BF7650E69BCFBB33A960E957C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.923{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=815B72B1E0698F2455192C4FEDA4CD2E,SHA256=1ECC59DDA7EFCEA5CE726FDB71C8BF0F08507B9D1613EFA551604AFCE2075773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.654{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0298A9449E2072A2CD26A6EFDAAE9A3E,SHA256=8FD26FCDFBE437FB53E567EF20D3333484E6E0312D4CE04A1D4E29E9D5D79CFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:14.884{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.423{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001039042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.423{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:16.423{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfa6547b.TMPMD5=A17B66D50B2357EACCE2ED2DF6BB26CA,SHA256=94B227138FA3BBDC703334C2B58C4ADB8CAEEC359A8FC16A5D99B6841C804924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:17.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9202311685F38F643AABAC7A1C2572,SHA256=15F63B7D6A8950CD653DFA24BAD171D0B53AF9ECB9DB46628DC528A4FEE9812D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:17.675{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD9B0057B5C1843DC6A6A61F012C833,SHA256=E84C8815093989EB40F99C3D6E2E6DB55712C0AEE25529B3E64E0DAFC8AA71D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:12.878{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58859-false10.0.1.12-8000- 23542300x8000000000000000969262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:18.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B825DCBD9E6C82820A99B1917019F270,SHA256=DEBC089D85134FE4A147B0B875F995AD4A158B73D3F3452F81B91BC834BF9DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:18.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF47F6799ED7D0C5F2857922C876A5A,SHA256=2C42CDEEB057A266EFBFAE77C02CC826CC20F455659B0CF222B89A3825156384,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:15.584{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52871-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001039049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:15.584{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52871-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000969265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:19.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA33293EA12BAD8A7B91F45E870C3BA,SHA256=E2F41605468EF59AAE3D818BD5DCF7164069F19447C39E4408ADA5B8DA506D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:19.707{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F6D410B2917C28129907B6B48C5E76,SHA256=FB7E7B53DB20A7FD77DC0DC2B332D74CD09871BCC62A3DAC004E2604D678E98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:19.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73DE47C4BA9E882F45E245D4BA0E341B,SHA256=5CBBD8DC18BCEEA7716A5FD1112E9688BF0CDF19A167975630495F306E0571A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:19.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C8FADFC53218638FD3DEB1528588A54,SHA256=BBE2C6849966D1F2358D51893B5F02E88F69949CDA9DA27AE573B70B6CBA5993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:20.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AF5012344F806F70E128DA51A00304,SHA256=4EB1441C9FF0E92B2B978F5DDD4042C22B32AE93182092BC261609671CBA031C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:20.791{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2E970BC25236B72F0AB036A26A421E,SHA256=5FE58AF95B6147D0FE8406B4D2879CDE8C7E2D5407D90B7A5115A1284207ECF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:16.278{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:21.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6648E3B4B3F2DCEF1D3FE8B5A1D6983C,SHA256=1DEFE645CED6188AD0288F131538F91B4C6ACD3178AA2C0CEB1EA2B3EFCEF303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:21.837{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8ED4AD2939E312764E4B4D2104B28C,SHA256=8D6A856AAC70885E08D842BB8CB3DCB042E9D4981DDC041DA2CFAA6F4908D2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:22.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB10EB0C68C12AF0A5792266E978F0D7,SHA256=36445036063159ECD5815022DA9BF1CA3C2DEE32C08D0B5B490A172FF3379473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:22.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B10C5CD22DF3347110C9619F53F61F,SHA256=B0CDC62ABD7073946314F22730C7DFC3CF541F3B27E24BE40D4B06BE6C9243F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:18.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58860-false10.0.1.12-8000- 354300x80000000000000001039055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:20.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:23.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23B65E52DF8E8DAF47082130D483D85,SHA256=45083BED2A2DE62A4A06689843E49C869CB845A566DDD915C336F31CBB366F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:23.871{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF02C891A5510A67BBC97DD2B49862E,SHA256=9A779741EB2F4B31F1D76AB677052072BDACA28BF7650E69BCFBB33A960E957C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:23.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D983719480258DDBC7620B23C670BAA8,SHA256=0B79DCAA2DCBEF740811D3B5A4E28DC1167422ABC598D485C2E787D2DADDAB3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:22.222{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:24.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F189A2A96799FE306BD1CC2A3C4721,SHA256=CA488623BA0BDADC95E9AD631B0126B90CDB80912080BE1F2B13227B55B4AB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:25.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219572C7B828EFB4DE273FE174C32AFD,SHA256=E6577E277684CD6D16DC4C54A0B6D16CBEF17991C3A12077973BE6FB964B3647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:25.103{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B130A31AD8A5E366176E712381E64D,SHA256=A6068C104606E0AA786E093F1B56F76FD9392003DA02ED3423272CD2048EB8EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:24.721{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com5692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.389{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4265MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23B65E52DF8E8DAF47082130D483D85,SHA256=45083BED2A2DE62A4A06689843E49C869CB845A566DDD915C336F31CBB366F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518DA042C8827E5FC42E1B042A09582C,SHA256=F58455EC18D6FC49F213B400956DC700416735058676E25099FB5AFDE869BE4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.839{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.839{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.841{69CF5F33-80AA-6151-9078-00000000FD01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000969287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.511{69CF5F33-80AA-6151-8F78-00000000FD01}23802028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1759F42BF5B7880AD992A9864855F7D9,SHA256=4E0F28B9C6DED3FDFC84402C12A8B145FB87C8B642E4BD1DA69B07F65E572A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.199{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.183{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:26.184{69CF5F33-80AA-6151-8F78-00000000FD01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000969317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.480{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.466{69CF5F33-80AB-6151-9178-00000000FD01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000969304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4658B002FA5E7D0DB3396B354D94CFD5,SHA256=6E4AF55071A0FCC8F1C6E1D28D5C644D0462561F1CD2ED9AB2FD8013C81CF48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:27.402{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4266MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:27.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F680389FD70F1272B90D7CA13879AAE,SHA256=A13C759A03E09C89081B7F9540E1B7C3855AF2FA5E3F3FB84002C0D334A5D203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F64FA6CF8F679E986ED1BC2F679CF6,SHA256=DEC412A1B5E346AF7E952442615DB43ADDC963DD73CA1B90D1A646329A7FE04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73DE47C4BA9E882F45E245D4BA0E341B,SHA256=5CBBD8DC18BCEEA7716A5FD1112E9688BF0CDF19A167975630495F306E0571A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.089{69CF5F33-80AA-6151-9078-00000000FD01}32523720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.855{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.839{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.840{69CF5F33-80AC-6151-9378-00000000FD01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:25.762{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com3939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:24.785{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58861-false10.0.1.12-8000- 23542300x8000000000000000969333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B7B739C1C4727A8DCAD6E45E4369CD,SHA256=840454A17648D2B0BB2EE38B0A6A8393D5DB76200F35A3D109E25A768E887E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F64FA6CF8F679E986ED1BC2F679CF6,SHA256=DEC412A1B5E346AF7E952442615DB43ADDC963DD73CA1B90D1A646329A7FE04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:28.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8D2CF5CB95547761A14CF472B1E7F3,SHA256=08B6AB5A7AD18DDB7903CDDC88DBB7F1C25E5B3E80A64DD901417F90E6543633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.355{69CF5F33-80AC-6151-9278-00000000FD01}24601404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.168{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:28.153{69CF5F33-80AC-6151-9278-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:28.185{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8FD909CF34D44301E437231EBAC737,SHA256=590D00290997022B3EF727D4A52906F50FAE95C6497259AAAA8486A7CEB1A9D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:25.893{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000969362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.730{69CF5F33-80AD-6151-9478-00000000FD01}716916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:29.315{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7111EF5BA7D86B72260A563490FC5843,SHA256=16245C96DE697D2DF91D6EFDEE67E36DE4943F2D6C6E425ADC0405807E1C1327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:29.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E1861623ADCC5D9C8A83C85A153730,SHA256=21A774E9BFEDBCC59CC0EF15AE61D9EC4E5714E9D6197899230464F0FCB574A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.543{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.528{69CF5F33-80AD-6151-9478-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001039071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:26.541{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56987-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E684BAEC815776310B0133B0A34A52B0,SHA256=DD36B61B929B26F0D5DA49E0CCA435514DC2343195061007B2FE3B0C7CED0E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:30.267{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612242C9B8488C3C3BB2647BB7DD1E1D,SHA256=AD730EEA7767FF47EA8EC7F29A5D494EF1F5661B4F6420CFBE6D545382A07FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025D94CF621019C6DC5E0FD6DC0F13E1,SHA256=68F91ED410A60AA7A298447E69F55796049D98D0BDB6B98E85690D07800D5292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=445ED1CB9549DD3973DA82C24B137C9A,SHA256=884D1B5708DA86FE38A519A5A74D19A4D9CD77B3BF5F715F47B1279408100514,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:27.205{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61368-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:31.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4012FB04081534FB5970D7E3A48598F,SHA256=26D73583AAA6926D0FD37F69128FB689F8F19B2C97FF8F3A9A7AB1820CD151E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:31.312{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD2FD79124DDF35D7CDAF8F4D6A5772,SHA256=5BA3A5E70FCEE89D187C5ADF72C8AC526C48004AE814A1F19E8E884B54FD0055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:28.961{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-58862-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001039078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:32.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBC59F028BBACA07CD76F4A3E98BD4E,SHA256=D25B49A77E5BE7B66A33B690F2552A46CB7F0FB29F0185EDABA2A314E967E294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:32.214{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=36BD2AB25939DA3A323E149C72D4D0BD,SHA256=51AC5FD4A95F2C294CE3A6F8B56F7BEB23ABFE60C52CB2CFEF15A3AFE8C3D706,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:27.907{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58862-false10.0.1.14-49672- 23542300x80000000000000001039079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:33.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B42010A92714E753C5C0B98FE8F9ED,SHA256=77439C84B22783FFC3EB3474997732FB05CF08A5B0781E4586E055005ED090CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:29.801{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58863-false10.0.1.12-8000- 23542300x8000000000000000969370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:33.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=109F2CBD5AB434422C71CD0964884FCC,SHA256=71AA39BEC5B3A554F21C0DD7EBE853A27E4F62C9D7F8E341AE58485524FD3695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:33.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC2880B7A5123CE6138495AA1A0E72C,SHA256=BCBE81CCD14A9255EA70E70CD3D18B8FE4CB01D92719E53C20AEF4A20D171B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:34.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC56A1958FEA2BB58B1308B2048236B6,SHA256=D9032113104C15B4FE7B518471087F16B0E01F00C944F607D561659123BA8ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:30.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:34.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9739908C7F19FFB573F4C345530C9E03,SHA256=EEC17B334063C0F4425B047820C45C1255724E83A913066CAC5DEB7D30E69239,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:31.850{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.594{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.409{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BE22CF8FD949E1010529C6971B234D,SHA256=AD6BF8C9863D1CC7AADE97C78D0F578591A132171000329F709F65D35B846579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D2D6429778605B86D7B78B9DA3F842C,SHA256=8629E7A062581D06D0D83D922F191D5EB17638145CC4BF8896C38376D1D30DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CAA351AD85517455767232447CF054,SHA256=03C9A3E2E3EF85DFC8EE66EB6AE5068303C70585473FB1C62AF5A0C9321D4E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:36.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55B5F7FA08D4BBFDBA287E3E03DB94A,SHA256=F0D03685A376E548AE95BA9E95341C4BD0BEABE5E268B22BF41F74257BB6A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:36.909{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B969F6C14087F405236BE316056D503,SHA256=ADACCFF629484BB60E38A4C36FF8ED102BE7CD791A9B06F7E2E4EB68B8D96A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:36.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663ED510007FC878D23D6E16D2B4F0D,SHA256=5693C8EB4C6CD0DAADC4E3D03385CF939815B17E1066DDD2EEDD833AB068E4C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:32.872{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62333-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:36.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29119FF425617276B10CBD1D7E25B18,SHA256=CF37F8B43292A053318F0168581F2C2E55BB6B1DBD9DEAB27B0CC520A5E570D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:37.524{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83ACE0850BCDA65EEC03080015D15C,SHA256=512FE21DBC954B33BB0BB651E9645BDDC3BD8F246D5C84864CEC55CF7B4998F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:37.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D7D011AE8E2DBD02B30DA0EF280CD8,SHA256=832FEC70801F16B10D6496BCAC473FB57B49721421A0E3A362AF629534341110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:37.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28CEDD7ED3B408C4B9AB62A8B53E5C5,SHA256=58DC17064A401E877E670D117974EBF6C321C6AD3816417FF79E570B0D396BEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.270{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001039087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:35.264{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49952-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:38.907{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AE1C649AB2D406A03D474DC498C41CCB,SHA256=845543B340B205C8E916264DB27FEB04C61D1FB051270F9399010D2CF3552432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:38.539{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418791D07382ABCBC5008B3A5D30BE5D,SHA256=87341089CFB3BB2833B911ADB00AE1A1AD6CC340AC1D8474D6702B342EA8B631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000969396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000969385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.418{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000969384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.403{69CF5F33-80B6-6151-9578-00000000FD01}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000969383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58864-false10.0.1.12-8000- 354300x8000000000000000969382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:35.041{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50608-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:38.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C9A7463935352B65022D74542966E9,SHA256=277DF39F053C6DF805CE780502D53FDFE471D67545D4E438AFCC1CEF77A234B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:39.656{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0E2E812E39EC25B59394699BE26E48,SHA256=990C59753E3DCF87DD4F3854D753A51A603C8D80706F24DC9BC2FA6225B17AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:39.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7CCDAA95E58E2C7752FA09D6A79CE35,SHA256=7C67DB9C7B62547E2B1273B5FD2A7FE395B6C4B67A25A7B954FD7710CDF0F251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:39.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA62BFDAA7435CA2C33B5B170EAEC24A,SHA256=AA12A92E12F0D9F37AB58C3CD312D588F7FEEC9D7A39265046D2A544DF6B687D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:40.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F703FC4684BC4318E6A27777F94C81,SHA256=F99CAE6D9C3EEAFA585D5D565E17A1F06A983604309F91032943DFCAABCC2834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:40.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6254D68CAD133EADACE4506412340117,SHA256=0F194E51DCA16740DCA473EAFBB0A8A364129BB1791CEE00CDB4EED869A92115,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:37.746{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001039097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:41.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E1ED5E1256BDE395991F4BA9CE7023,SHA256=608F946039D77350856CAE15AAF78928C42A41DE32E814EAA7BA13CA07973C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:41.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD5B3101CA16BEC590B12B0287C7F99,SHA256=CFB72DFA3F01712DEC7FBED717D5CA711D41D501D665547FCD6559D1D99B44B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:38.841{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:41.433{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55B5F7FA08D4BBFDBA287E3E03DB94A,SHA256=F0D03685A376E548AE95BA9E95341C4BD0BEABE5E268B22BF41F74257BB6A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:42.734{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1600D209E3E3E0C982F1A1070BBEEED,SHA256=2C687BD0AF43C74EE6BD48591A41537A7FCF5FE03759852CA5FBA3585500C743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:42.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78A9D1560E84B8F74DC483406A04436,SHA256=91D32446ACBD3270D5CC1BB77633366BF158DA5AF58627AA1BCF0FF03B3F2CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:43.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E8A1F13681904C3A8A975440B5E19F,SHA256=20DD812F1CCACDFDE3E710A171120BACEB40FC3CCDE8928A2C45CAA7AA6C5F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:43.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DCE2301693A9D6C5A0CECFC1F836E9,SHA256=3679A5F97A5768904310B397F4C464F5178616212B99E563C1663ABA5857BE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:43.652{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5DD622F40D09CC5CAE122B0DA6795FF,SHA256=DBD488544333EDE17A3C97736A8C89C077EF7602BB769C524F0F73ACB9EFC368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:44.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEB4A8EA22FE78AF51012CA9C362B1A,SHA256=FEB9A8904012A7F667773CE4BB76BC1141021ABF6585312F846C0FD7B9E9344F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:41.743{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58865-false10.0.1.12-8000- 23542300x8000000000000000969403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:44.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96A9FA224E571976FCD211092EEAA17,SHA256=BA6318ABACD628538C0047F49407267117ED171C7BFE739045F8E9F75DC5C4D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:42.040{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B98D7C5C4E7FB112EDAC893C7C55A3,SHA256=92D780803C1D7B1752593A483B526FA481D677C1D5780D50B55C18DEA7C77B2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:42.610{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55433-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:45.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63ED821F6FA037C92FC13A16D625643,SHA256=4C2104F43763FC172E11B729C9EBC83F425FD73A93CF015E19E30B78C596CE35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.816{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.816{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.816{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.800{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.785{5EBD8912-80BD-6151-E778-00000000FC01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001039112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:42.878{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.302{5EBD8912-80BD-6151-E678-00000000FC01}49486748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.101{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:45.072{5EBD8912-80BD-6151-E678-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92E0EE50DD6157FF8DF17CBFCC7C6C3,SHA256=669C8CE7B85506B2735A40885452BC11F24CDC070D01D9EB867494D0CACD0BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:44.676{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001039130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.503{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.498{5EBD8912-80BE-6151-E878-00000000FC01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:46.082{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CCFE0B5B40A0A04D91E3306D7AFC26,SHA256=9F7057D47F5437C6E274BC3E4AA99FA20C3F5AB2425BF4427E2148B35B6E4BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:46.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29064D580E52E3E72379E4718AD5DD3A,SHA256=F06EB110732EC42C33E679A503AE71ED7A90F5612E14D9011A24139D3E979592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:46.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371C7235CB9A96BBF0FA05C37E64EDCE,SHA256=B20AFED087AD94F8C1DA456449B657E6D90F8A87E54F63771817344251DD4066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:46.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EA79CC9228A4948E570D8BA0A42E18A,SHA256=AEA7A0579FF833ED456AB17E1F38AC8B8B0A858FA5F960950B03EF0098A98A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:47.917{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F266C8417257CBEC8933CA22C39A5F81,SHA256=5A6F1A580CE156887ECA596E144ACF600E33A7862305D868D15B8EF467B17FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:47.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD9F37E62416C892B85BBD3DA7EAE40,SHA256=C55686D2EFD1EB26565EF37664FC0C8AECFBAC5AE388EDE16C3725623ADEAB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:47.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CB8E18B77700663C1459899F9FC871,SHA256=FEC52A409D47939E3AC019A18EC76FA02ADBE68A39ACF6BDDA9F648C1F4E5C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:48.932{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B0934BEB20C7DE6EB45E7D1131450B,SHA256=CE886F90DF986FD7BEEED752F6D0AE629F45CD1E162FB5F6BD77856F8EBBE8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:48.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E789A60A0C163F4AEAA9ECDCD3AAF0,SHA256=F5FE2DA345769F3D912CD5DEEC490EBB63247C6B980BC80F92B7314C3ADA5866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:49.948{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BB838D49117FC86ACDFD036090B316,SHA256=6C7F3AC168E8F502DE520CF0EE665E7321D1E66D7F76F814FF9161E5BC1EEEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:49.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF99FDD9CF0FB840EA7B73880934D420,SHA256=0662392AA69E6109762E74EAF292CF34A969F0CCC02D29445CC1D3BFCFBC44E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:50.963{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B47542D11CCA056E2E950407545377,SHA256=BD77D191E0C7B0F7B6B726D6CB948566723D9AB3F1847024752E54989FB2C427,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:48.809{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:50.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE719CB6A8966771D0D9D864DD80461A,SHA256=4973722385F1B9EC700975E5E560C8D9F59B8E07E5F3A671F7C5D3C348C5760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:51.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8EE31F3512A9B784818B5C8F71619C,SHA256=6E5A50FE6438E4930A6E2C1076E978F34B2CE4EE35AD9C3F987780EEA3C82492,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:48.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000969416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:47.696{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58866-false10.0.1.12-8000- 23542300x8000000000000000969415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:51.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B149CBD63694DADC9BCC1F6D7C79F66C,SHA256=8B0205672B59AFE32746F63622EA79CB92B6E83B385A679A5FE14533C0A34CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:51.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371C7235CB9A96BBF0FA05C37E64EDCE,SHA256=B20AFED087AD94F8C1DA456449B657E6D90F8A87E54F63771817344251DD4066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:52.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C6ADB42E244B0670E50F3FB88CEFAA,SHA256=17ECD9FB7FA8138F95C8157785010C151C8B1CF56D34250ED83E8B2DB893EC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:52.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED740AD7740F403B2EC3942F2B3F33D5,SHA256=00972CF1E7C35FC3D4D6329E9696CBEA7623CB50E35BA8CCC44E8ADA8A32C6DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:50.284{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:52.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=631687F91EBF60F1AD3BA0B435F91AA6,SHA256=D9381918B89FEC6D2B7FFC3EDAF7BF30791A761BA15C93989A969A7A5F78A158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:52.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CF1CB623DCD0BDE51933E13873DD916,SHA256=1C018DAB4AD7629312E8E2C7EE110907DF4A7304F5FA48628EB2A63C82F9736D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:53.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26149334E82203A872390C9730D4B0EA,SHA256=705F92BD61AF5023D70C5282789A78065341A1B44D0F317DAB2E946F6E2AACC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:49.190{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59512-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:53.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5101099E38B270A4B2FF82DA1EDCFF8,SHA256=82306E23D7F2A97507988023466A8EA0822AD874B3C840547DE4384DD7CF5D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:53.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9ECCA1F35CE06224D6D62022B2D06E,SHA256=DB05632845ED2093AD7FAC560D7BEF47AD0106D1DC4D4EB99225197540DE4A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:54.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ABE916845634D6A1E166127723B163,SHA256=D959EC503F4DA46CB5457512CC6156AF4DF56906C360043ED3100D021DA1D992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.798{5EBD8912-80C6-6151-E978-00000000FC01}54245476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.580{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.565{5EBD8912-80C6-6151-E978-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:54.033{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769935424925F8A8F20F0D3F07BB040B,SHA256=12C841EDAC515A126D798B4797A95A0046B7B00A89D560CF16E9AC9062E96CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:51.128{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:55.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AD01BB2DD12F6784E16F87EA0D9B31,SHA256=096B48AEF723822E0219B201CFCA670AFB3DDE41AEDF5FA822A84828FE6CE019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.966{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001039184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.966{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001039183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.950{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-80C7-6151-ED78-00000000FC01}5192C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.935{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80C7-6151-ED78-00000000FC01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.935{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-80C7-6151-ED78-00000000FC01}5192C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F30-614D-1400-00000000FC01}11041400C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.865{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.851{5EBD8912-80C7-6151-EC78-00000000FC01}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001039171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:53.773{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.617{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=631687F91EBF60F1AD3BA0B435F91AA6,SHA256=D9381918B89FEC6D2B7FFC3EDAF7BF30791A761BA15C93989A969A7A5F78A158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.448{5EBD8912-80C7-6151-EA78-00000000FC01}6400324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.264{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.249{5EBD8912-80C7-6151-EA78-00000000FC01}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:55.033{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE44FA5D6197A19EE09066601213BC74,SHA256=F715CEFD9537E586C9251C3D09F4D5C3845BB725158CC2A55FCEA0013A8BAC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:56.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C64EA07B6A79679CF8461D3DD4D3F8,SHA256=281F96932AADA57DDB08D6A71DC06CD3D3C6CCFA2DBE103847681EB4C25D0321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95365009C599C59A3D7A295891C7AC72,SHA256=7CF113F35D56BBA52F95C79D19C9670857B1D88250658C20EECC90EB74722092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.703{5EBD8912-80C8-6151-EE78-00000000FC01}62844384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:53.887{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001039194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.550{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.535{5EBD8912-80C8-6151-EE78-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001039186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37758CBFC5B2C5F07AD0A5C083925E1B,SHA256=BBFA9A7232CADA5A7D6A362F97E965EB298C39F943B008BC44C0AE642C681DC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:52.727{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58867-false10.0.1.12-8000- 23542300x8000000000000000969428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:57.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4960FCE7811E5D13540DDC9BDF42776,SHA256=4EC248D0872AA6DF57FBA87263BBDC8885A3319515B75C493C53A7A8AD4E11AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D229B7A9E595864CBE2B5A0254814B50,SHA256=EE367F433E6C7E5A1B9B60BFA85280F6FD476C4D0ED84AD52083E620C1A32AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2F142E3897B0E398DCBE34AEEA78A3BE,SHA256=BDCCDAD2E6B1B19D42312688C9E7766C48F95A00E754852A9FA8E84636B7CD82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.180{5EBD8912-7F2D-614D-0B00-00000000FC01}6242836C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001039198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:57.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF30CED3DC3D5EB3BDFEB3DDE3475DC2,SHA256=70A5CB86367577E6DDFAEB368C45751B14AF8F005D63C3BF3B72B9B73B230EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:58.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5BC1C884FC1FB8C39D322CA3C3FB6F,SHA256=1449BBAB3C4EFEE1BF8014433B87CB845CB44371042D8516DD68CC837E646D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.876{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52882-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001039208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.876{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52882-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001039207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.768{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local52881-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001039206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.768{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52881-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001039205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.760{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52880-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001039204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.760{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52880-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001039203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:58.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFC280F9E1090140DE874E8D595ABFB,SHA256=8DF4DC7785DC7519CDAAD4011D1290228347BD09C8C3E9ACA4CFE1BC87F96F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:58.080{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0588086823CE8C40007BD0A4FB551885,SHA256=0385E6805103E2448DE911494890C2D365F5FA12EED0554F1453B8B3209E4D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.953{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DB222629E1210395F14A40F0606B74,SHA256=BAA89FB71D86AB5477AA4591689BED0D8F90479A996096245EC2F2CB396F242D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:56.935{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62515-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001039211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:59.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF3D54D5AE1E7B4F6FBFE23B9BB297BE,SHA256=9F098C9B2823EF6D9140A16F82F9558396CD13AA532668772785DFA05601AC80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:59.132{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0694FF3CFF17DB93358CD035FAC22BDE,SHA256=6142DB2196FE92E7C0B23341223FE6AD74CDEB5D10C974E8D68AFC0CE8DF6835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.455{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4266MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:56.364{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118722B730A2C2CB1CA33B30A698EE26,SHA256=6B86B3B5C25FFEED929E7E8B66559F03444D94720D0D6DA6AB8523B78A98780C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:59.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A760D6745932BDD3D694525A085547,SHA256=EF6A7707115CC34D13C2E8955DD2718E631B9380E9877579A335194491F83E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:00.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE61F2EE320FC76D0988E20E7C924FFB,SHA256=02B16FA2012B5C485B3FB73371FC0DB58EF0A970119E9F5494E8AE1361C3B68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:00.162{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C076EFEB5612EBC2B74C494CAEE53E79,SHA256=C9578F7D53AA15C559271F4BAED8E4D1B7DAC524E3BE35E8048BD9C6D64E16BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:00.469{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4267MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:01.195{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4407AAFD4015542979AB886357FD8C,SHA256=488D865F713310ACD7B59CA4F8545199BF848A7CB8C799B95AA6EF642DAF3616,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:28:58.758{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58868-false10.0.1.12-8000- 23542300x80000000000000001039215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:02.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8E578E0A7D66DAFEC1EF94B256770A,SHA256=58EA2047651576D7EFF44383C2641E5984E935F489F62140BE162B2FF35248AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:02.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F52CACAE43DAD8ED07C65DA8335C36,SHA256=5A904BD79AA01C3D66056FF57D3CB7F686F750CFE0B86FEA357CCE5C9CA06ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:03.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD95243D8EB9707FD04AEF6843D3CD6,SHA256=3F364AFDBE597E64912F81EE93EB04BE72560F9D04435AC4F8EDACA5D2D590A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:00.719{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:03.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EAFEE5BCBCF0BC308CE0034F60B897,SHA256=73068AD35766724CED97DF15A4F439703B09FDAC1222AF3FF41564F8EEBBE0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:28:59.838{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000969444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:01.510{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50745-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:04.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91467CF108AD9B88C596A4DE8185C63,SHA256=E9D75CED9F14D70C74D73083878C2B5B0C76F2F77BB55E656B9CF2FDFA1E39B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:04.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118722B730A2C2CB1CA33B30A698EE26,SHA256=6B86B3B5C25FFEED929E7E8B66559F03444D94720D0D6DA6AB8523B78A98780C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:04.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B71F445A2AC2062FAE8B635037C26,SHA256=FEF01264E0554ECD55C8E36154D4ECBF6A39A6DBA78F2F5069AE2772EA5DCD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:04.245{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDDF93E6137587525145240B57E496B,SHA256=101AB999C977EB0631E2AC174DBD6154377C5014A424D975DBBFD412136DE2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:05.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675AAB055139E961F14303AF6B87C99,SHA256=844161DCF41DC0F3DF82DF27604B3EBEE83BE28D4321B3E7FA925C7ED3E3DBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.859{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2512CEB3342787AAA6BE400A5C654C34,SHA256=914B7FA7BF3B2D64047443E1EEFB95B43E8E186891511BDD823D35C36A01D8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:06.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF64041C885DFA344C1D2D97A3CE136,SHA256=2376F82F861288A0F8286F37B2267C456B661EEEA2B9C8109CF6C65D4716738B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:03.761{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58869-false10.0.1.12-8000- 23542300x8000000000000000969446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:06.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1FE2CB74009F23C1FF06A3BD5124B4,SHA256=335B39F15503709B54B88295D7F62CE0B15352B38176542EDAA5A0CBB31CE5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:07.593{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87F17FFCB16ABDB3C44D97F424B92053,SHA256=AADFAFECDC162E6BB89125B4C2555A0EA22E619A38E93AEDC8D4D707A234C48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:07.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0691F3A6A0FD99ADE1FC2DB6639F602,SHA256=A6CB30EB7B50F2757694CE6327975B1497A848C326FA60EC3D05BE7AFDDE4450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:07.358{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DC0BFA998888073E7A8C431732C7B1,SHA256=D46F35C762100BE89D7348B71C354866734CDF7C2790ABFBF65410006C0B9B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:07.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77794D88BD69334B45696916FF20A392,SHA256=AFBD3B49C82DC2C1935F6452094618DE69E9CD4ADBBC67355353A0EF8F41912F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:08.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFDDFE4358E10175421883BCB818989,SHA256=DFF1FCC67D26A617EB62478A069E839A98B86CF1020BC6E997E2664130F77D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:08.990{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87F17FFCB16ABDB3C44D97F424B92053,SHA256=AADFAFECDC162E6BB89125B4C2555A0EA22E619A38E93AEDC8D4D707A234C48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:08.372{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570884B1FAACCEECE67E17CCC4F8809,SHA256=00DE23857446ADCDA005E54327393750704ECD6DCB47BCD39C68077B5A922ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.946{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:05.819{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:09.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A8CF5CFB26712402CBD608D20A11F4,SHA256=AB314574B84A2788423FC75F6775BE327CD6914A4522B57F11D3E5D926EEC956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:09.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962F07668AF6500A3201EA838514896C,SHA256=7B2F2242167DA1BD5318E56E574A14C5231864319CE68F10128FEB3B764F35A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:06.756{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000969451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:10.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9830D4D70906411BE7C2FEBC2B1C028,SHA256=F7C0D1BB9C412A6D1510138921983A88B44E0B19F74474731A7B840205D29774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:10.425{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC867E1646A600567B8C6B44E714FF35,SHA256=ABB57D8F1C2C8AE0B74739C3BE9B6A4FD5DC383712602C6DDD023913E5D89483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:11.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E646E0EC7D99212F8510ED43DF25683,SHA256=2ED0A4A74449B3E226E5E71D3F17FDD60BB316CF0B4C2CF481502FD63862E0FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001039245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 08:29:11.629{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007ac) 23542300x80000000000000001039244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FA38D930A9A92691993DCA3E752ADE,SHA256=102BF5A38EA2E2D9F49906B2C8B6702F5AF9C30D7AD7CF29CE7EE1378673B608,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.456{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.425{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.325{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.293{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:11.225{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000969455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:12.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DB57BA3637D8D3C5A01C3861F9395,SHA256=96B8FC20E2E52635DCF410BA627E1B0C02EEEC622E6A95B2131EC15DC5CDECC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.782{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0AA34E51E830C3F859CF94940AA3CD,SHA256=81EC88F88595E38D322766FC500249DFB1E2A879EBE623524CEE8C094F1498D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:12.766{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:09.790{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58870-false10.0.1.12-8000- 23542300x80000000000000001039246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A44210E00BFFAAF2CC2F7488F8C3F7B6,SHA256=6A7EAB65E4EEEF248AA1FB58D2465E9CAB0BAEA7E37060CEFB2D5811C3480539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:13.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527413CBFA8C019528C69A41E997499A,SHA256=69BB2F5A1F66F29E3810207CEA42CE8B54656C8A9B92F55FCBE88938F19BBDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DC0767FA3C82773EF4CC6F533A7D1BCE,SHA256=1E7034B7661910832DA5EBA78025DE260E7B1352D33AB9DE4506FDCF5DA14B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.796{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D229B7A9E595864CBE2B5A0254814B50,SHA256=EE367F433E6C7E5A1B9B60BFA85280F6FD476C4D0ED84AD52083E620C1A32AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.534{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED11CD25ED8D2F6381993C97719079B,SHA256=451944F37FB685AF02EF1445FA4F898ADBCC5388243498EF4AF206E46D8B46AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.397{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001039260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.397{5EBD8912-79BF-6151-DA77-00000000FC01}21525336C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001039259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.381{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001039258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.381{5EBD8912-79BF-6151-DA77-00000000FC01}21523036C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79BF-6151-DC77-00000000FC01}5112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001039257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.265{5EBD8912-7F30-614D-1000-00000000FC01}3802328C:\Windows\System32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.265{5EBD8912-7F30-614D-1000-00000000FC01}3802328C:\Windows\System32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:10.883{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000969458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:14.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16480567290D14858EBA312002D40E4B,SHA256=676C8219CF6B8F70D03F4D68554B7398897A82544CD72CC62EA17C7CD8526957,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000969457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:11.400{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local58871-false10.0.1.12-8089- 10341000x80000000000000001039294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.589{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.573{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.567{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.567{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.567{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF95F7AD9AB3389D581E214C14BCB15,SHA256=E22B3EB7AB1676AB6342C236294D61D63635F71F1BD88E13592A03A37013B661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.535{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.535{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.481{5EBD8912-7F30-614D-1600-00000000FC01}1268512C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.433{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.433{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.411{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.411{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.411{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.311{5EBD8912-7F30-614D-1600-00000000FC01}1268NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.481{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local61155-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001039266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.481{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49262- 23542300x80000000000000001039265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:14.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24D104079B278EDDC94AF640BD8BC9E,SHA256=9457777C03A0574B7F84B823B79B408CDDBAA4A06EC6913F9AE2242A8035C0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5098BB67B891DC30E07AE180AAD7B00,SHA256=FFE267C907F840B20FAC3BAEC3FE7EF27276F899B6C1A12D81388E7D182C5A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.835{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2F7E4D2F8F1CFB329EAE98BBF6701D,SHA256=3091082F8F741AD5C48B595BB0CC6DEF237D9C341A63D5988643145584897071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000969461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:12.362{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-62589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000969460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD4D451F1ED245B9B603DE11689CD858,SHA256=6DED08C12DE4327C3F0914A14BF6C55F933478771361E0840145BD5FDD5B14C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000969459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:29:15.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91467CF108AD9B88C596A4DE8185C63,SHA256=E9D75CED9F14D70C74D73083878C2B5B0C76F2F77BB55E656B9CF2FDFA1E39B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.803{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.788{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.772{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.772{5EBD8912-80DB-6151-F378-00000000FC01}19325816C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001039431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.688{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.674{5EBD8912-80DB-6151-F378-00000000FC01}1932C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001039423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.651{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.651{5EBD8912-7F2D-614D-0A00-00000000FC01}616768C:\Windows\system32\services.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FC725199A7F0164CA23EA8B2425F5A,SHA256=01357A45B2BBAE1EBD5C033EB5CFEAE99446A99641AD6527B7F5D5E64CF09857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001039417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.588{5EBD8912-7F2D-614D-0A00-00000000FC01}6162560C:\Windows\system32\services.exe{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001039414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.580{5EBD8912-80DB-6151-F278-00000000FC01}6048C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001039413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.572{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.567{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.566{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.551{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.535{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001039385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.088{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52890-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001039384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.088{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52890-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001039383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.087{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52889-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001039382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:13.087{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local52889-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001039381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.998{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local52888-false20.199.120.85-443https 354300x80000000000000001039380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.983{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51119- 354300x80000000000000001039379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.806{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001039378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.543{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52887-false93.184.220.29-80http 354300x80000000000000001039377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:12.506{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local52886-false20.190.159.138-443https 10341000x80000000000000001039376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A9DD4F381B8C9163F264270820B2A8,SHA256=3F4AECA7CB05C686CFD47278C321A707438C6C92486F1D83D694B439B23A8FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001039369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5262526369879B290DE8071E40B841,SHA256=E6EA5DFABC0A53905A60190FB552A596B5B38E9F81D52660B6E4BAA8B2A89B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.404{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DC0767FA3C82773EF4CC6F533A7D1BCE,SHA256=1E7034B7661910832DA5EBA78025DE260E7B1352D33AB9DE4506FDCF5DA14B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001039343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B07DD3DCB3AE2081EE428FCA8FA046D,SHA256=CAFA6B250C84F2A7568536D9057F68FCEE2E0C307F653AA48DC6A2BF96D42B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001039342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.373{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.372{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.372{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.371{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.371{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.351{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.335{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EBD8912-80DA-6151-F178-00000000FC01}352C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001039305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:29:15.320{5EBD8912-7F2F-614D-0C00-00000000FC01}8284648C:\Windows\system32\svchost.exe{5EB